feat(traits): Add new trait mem_preserver

This trait makes it easier to reason about code, as there is a snippet
(verify_mmr_successor) which can read from ND but does not modify
memory. In order to reason about the soundness of that snippet, this
trait `MemPreserver` is added.

It makes it easier to clarify that the field-access of
`verify_mmr_successor` is safe.

Author: Sword-Smith

tasm-lib/src/traits.rs

@@ -5,5 +5,6 @@ pub mod closure;
 pub mod compiled_program;
 pub mod deprecated_snippet;
 pub mod function;
+pub mod mem_preserver;
 pub mod procedure;
 pub mod rust_shadow;

tasm-lib/src/traits/accessor.rs

@@ -23,12 +23,13 @@ use super::rust_shadow::RustShadow;
 /// stack but can only read from memory. Note that it cannot write to static
 /// memory. It cannot read from any inputs or write to standard out. It cannot
 /// modify the sponge state.
-/// See also: [closure], [function], [procedure], [algorithm]
+/// See also: [closure], [function], [procedure], [algorithm], [mem_preserver]
 ///
 /// [closure]: crate::traits::closure::Closure
 /// [function]: crate::traits::function::Function
 /// [procedure]: crate::traits::procedure::Procedure
 /// [algorithm]: crate::traits::algorithm::Algorithm
+/// [mem_preserver]: crate::traits::mem_preserver::MemPreserver
 pub trait Accessor: BasicSnippet {
     fn rust_shadow(
         &self,

tasm-lib/src/traits/algorithm.rs

@@ -23,12 +23,13 @@ use super::rust_shadow::RustShadow;
 /// the dynamic memory allocator, and can take nondeterministic input. It cannot read from
 /// standard in or write to standard out.
 ///
-/// See also: [closure], [function], [procedure], [accessor]
+/// See also: [closure], [function], [procedure], [accessor], [mem_preserver]
 ///
 /// [closure]: crate::traits::closure::Closure
 /// [function]: crate::traits::function::Function
 /// [procedure]: crate::traits::procedure::Procedure
 /// [accessor]: crate::traits::accessor::Accessor
+/// [mem_preserver]: crate::traits::mem_preserver::MemPreserver
 pub trait Algorithm: BasicSnippet {
     fn rust_shadow(
         &self,

tasm-lib/src/traits/closure.rs

@@ -18,12 +18,13 @@ use super::rust_shadow::RustShadow;
 /// A Closure is a piece of tasm code that modifies the top of the stack without access to
 /// memory or nondeterminism or standard input/output.
 ///
-/// See also: [function], [algorithm], [procedure], [accessor]
+/// See also: [function], [algorithm], [procedure], [accessor], [mem_preserver]
 ///
 /// [function]: crate::traits::function::Function
 /// [algorithm]: crate::traits::algorithm::Algorithm
 /// [procedure]: crate::traits::procedure::Procedure
 /// [accessor]: crate::traits::accessor::Accessor
+/// [mem_preserver]: crate::traits::mem_preserver::MemPreserver
 pub trait Closure: BasicSnippet {
     fn rust_shadow(&self, stack: &mut Vec<BFieldElement>);
 

tasm-lib/src/traits/function.rs

@@ -23,12 +23,13 @@ use super::rust_shadow::RustShadow;
 /// larger than the dynamic memory allocator and the dynamic memory allocator value has to
 /// be updated accordingly.
 ///
-/// See also: [closure], [algorithm], [procedure], [accessor]
+/// See also: [closure], [algorithm], [procedure], [accessor], [mem_preserver]
 ///
 /// [closure]: crate::traits::closure::Closure
 /// [algorithm]: crate::traits::algorithm::Algorithm
 /// [procedure]: crate::traits::procedure::Procedure
 /// [accessor]: crate::traits::accessor::Accessor
+/// [mem_preserver]: crate::traits::mem_preserver::MemPreserver
 pub trait Function: BasicSnippet {
     fn rust_shadow(
         &self,

tasm-lib/src/traits/mem_preserver.rs

@@ -0,0 +1,204 @@
+use std::cell::RefCell;
+use std::collections::HashMap;
+use std::collections::VecDeque;
+use std::rc::Rc;
+
+use rand::prelude::*;
+use triton_vm::prelude::*;
+
+use crate::linker::execute_bench;
+use crate::linker::link_for_isolated_run;
+use crate::snippet_bencher::write_benchmarks;
+use crate::snippet_bencher::BenchmarkCase;
+use crate::snippet_bencher::NamedBenchmarkResult;
+use crate::test_helpers::test_rust_equivalence_given_complete_state;
+use crate::InitVmState;
+use crate::VmHasher;
+
+use super::basic_snippet::BasicSnippet;
+use super::rust_shadow::RustShadow;
+
+/// A MemPreserver cannot modify memory
+///
+/// An MemPreserver is a piece of tasm code that can do pretty much everything
+/// except modify memory, including static memory. It can read from any input
+/// and write to standard out. It can also modify the sponge state.
+/// See also: [closure], [function], [procedure], [algorithm], [accessor]
+///
+/// [closure]: crate::traits::closure::Closure
+/// [function]: crate::traits::function::Function
+/// [procedure]: crate::traits::procedure::Procedure
+/// [algorithm]: crate::traits::algorithm::Algorithm
+/// [accessor]: crate::traits::accessor::Accessor
+pub trait MemPreserver: BasicSnippet {
+    fn rust_shadow(
+        &self,
+        stack: &mut Vec<BFieldElement>,
+        memory: &HashMap<BFieldElement, BFieldElement>,
+        nd_tokens: VecDeque<BFieldElement>,
+        nd_digests: VecDeque<Digest>,
+        sponge: &mut Option<VmHasher>,
+    ) -> Vec<BFieldElement>;
+
+    fn pseudorandom_initial_state(
+        &self,
+        seed: [u8; 32],
+        bench_case: Option<BenchmarkCase>,
+    ) -> MemPreserverInitialState;
+
+    fn corner_case_initial_states(&self) -> Vec<MemPreserverInitialState> {
+        vec![]
+    }
+}
+
+#[derive(Debug, Clone, Default)]
+pub struct MemPreserverInitialState {
+    pub stack: Vec<BFieldElement>,
+    pub nondeterminism: NonDeterminism,
+    pub public_input: VecDeque<BFieldElement>,
+    pub sponge_state: Option<Tip5>,
+}
+
+impl From<MemPreserverInitialState> for InitVmState {
+    fn from(value: MemPreserverInitialState) -> Self {
+        Self {
+            stack: value.stack,
+            nondeterminism: value.nondeterminism,
+            public_input: value.public_input.into(),
+            sponge: value.sponge_state,
+        }
+    }
+}
+
+pub struct ShadowedMemPreserver<T: MemPreserver + 'static> {
+    mem_preserver: Rc<RefCell<T>>,
+}
+
+impl<T: MemPreserver + 'static> ShadowedMemPreserver<T> {
+    pub fn new(algorithm: T) -> Self {
+        Self {
+            mem_preserver: Rc::new(RefCell::new(algorithm)),
+        }
+    }
+}
+
+impl<T> RustShadow for ShadowedMemPreserver<T>
+where
+    T: MemPreserver + 'static,
+{
+    fn inner(&self) -> Rc<RefCell<dyn BasicSnippet>> {
+        self.mem_preserver.clone()
+    }
+
+    fn rust_shadow_wrapper(
+        &self,
+        _stdin: &[BFieldElement],
+        nondeterminism: &NonDeterminism,
+        stack: &mut Vec<BFieldElement>,
+        memory: &mut HashMap<BFieldElement, BFieldElement>,
+        sponge: &mut Option<VmHasher>,
+    ) -> Vec<BFieldElement> {
+        self.mem_preserver.borrow().rust_shadow(
+            stack,
+            memory,
+            nondeterminism.individual_tokens.to_owned().into(),
+            nondeterminism.digests.to_owned().into(),
+            sponge,
+        )
+    }
+
+    fn test(&self) {
+        for (i, corner_case) in self
+            .mem_preserver
+            .borrow()
+            .corner_case_initial_states()
+            .into_iter()
+            .enumerate()
+        {
+            println!(
+                "testing {} corner case number {i}",
+                self.mem_preserver.borrow().entrypoint(),
+            );
+
+            let stdin: Vec<_> = corner_case.public_input.into();
+
+            test_rust_equivalence_given_complete_state(
+                self,
+                &corner_case.stack,
+                &stdin,
+                &corner_case.nondeterminism,
+                &corner_case.sponge_state,
+                None,
+            );
+        }
+
+        let num_states = 10;
+        let seed: [u8; 32] = thread_rng().gen();
+        let mut rng: StdRng = SeedableRng::from_seed(seed);
+        for _ in 0..num_states {
+            let seed: [u8; 32] = rng.gen();
+            println!(
+                "testing {} common case with seed: {:#4x?}",
+                self.mem_preserver.borrow().entrypoint(),
+                seed
+            );
+            let MemPreserverInitialState {
+                stack,
+                public_input,
+                sponge_state,
+                nondeterminism: non_determinism,
+            } = self
+                .mem_preserver
+                .borrow()
+                .pseudorandom_initial_state(seed, None);
+
+            let stdin: Vec<_> = public_input.into();
+            test_rust_equivalence_given_complete_state(
+                self,
+                &stack,
+                &stdin,
+                &non_determinism,
+                &sponge_state,
+                None,
+            );
+        }
+    }
+
+    fn bench(&self) {
+        let mut rng: StdRng = SeedableRng::from_seed(
+            hex::decode("73a24b6b8b32e4d7d563a4d9a85f476573a24b6b8b32e4d7d563a4d9a85f4765")
+                .unwrap()
+                .try_into()
+                .unwrap(),
+        );
+        let mut benchmarks = Vec::with_capacity(2);
+
+        for bench_case in [BenchmarkCase::CommonCase, BenchmarkCase::WorstCase] {
+            let MemPreserverInitialState {
+                stack,
+                public_input,
+                sponge_state,
+                nondeterminism: non_determinism,
+            } = self
+                .mem_preserver
+                .borrow()
+                .pseudorandom_initial_state(rng.gen(), Some(bench_case));
+            let program = link_for_isolated_run(self.mem_preserver.clone());
+            let benchmark = execute_bench(
+                &program,
+                &stack,
+                public_input.into(),
+                non_determinism,
+                sponge_state,
+            );
+            let benchmark = NamedBenchmarkResult {
+                name: self.mem_preserver.borrow().entrypoint(),
+                benchmark_result: benchmark,
+                case: bench_case,
+            };
+            benchmarks.push(benchmark);
+        }
+
+        write_benchmarks(benchmarks);
+    }
+}

tasm-lib/src/traits/procedure.rs

@@ -30,12 +30,13 @@ use crate::VmHasher;
 /// in a function (lower case f, as in 'labelled scope'); and cannot be proved as
 /// a standalone program.
 ///
-/// See also: [closure], [function], [algorithm], [accessor]
+/// See also: [closure], [function], [algorithm], [accessor], [mem_preserver]
 ///
 /// [closure]: crate::traits::closure::Closure
 /// [function]: crate::traits::function::Function
 /// [algorithm]: crate::traits::algorithm::Algorithm
 /// [accessor]: crate::traits::accessor::Accessor
+/// [mem_preserver]: crate::traits::mem_preserver::MemPreserver
 pub trait Procedure: BasicSnippet {
     /// Returns standard output
     fn rust_shadow(